ICANN has taken considerable heat from many parties for having yet to produce a convincing economic study of the market demand for, and viability of, new generic top level domains (gTLDs). But a recently issued, ICANN-funded technical study makes a strong case for delaying the introduction of new gTLDs and other root zone changes until domain name system (DNS) security in the form of DNSSEC (the "signed root") has been deployed, so as to assure the long-term safety and stability of the DNS.

The Executive Summary of the September 18th study describes its purpose and the critical juncture the DNS is now approaching:

Until recently the root zone of the Domain Name System (DNS) has enjoyed two important stabilizing properties:

• it is relatively small—currently the root zone holds delegation information for 280 generic, country-code, and special-purpose top-level domains (TLDs), and the size of the root zone file is roughly 80,000 bytes; and

• it changes slowly—on average, the root zone absorbs fewer than one change per TLD per year, and the changes tend to be minor.

The root system has therefore evolved in an environment in which information about a small number of familiar TLDs remains stable for long periods of time. However, the type, amount, and volatility of the information that is contained in the root zone are expected to change as a result of the following four recent or pending policy decisions:

• support for the additional larger addresses associated with Internet Protocol version 6 (IPv6); and

• the addition of new TLDs.

This report presents the results of a study that was undertaken to determine if, how, and to what extent “scaling the root” will affect the management and operation of the root system. (Emphasis added)

The study then goes on to make several key findings and conclusions. Among them are:

• Any increase in the size or volatility of the root zone involves risk. If the only objective of root system management were stability, no change to the current size or composition of the root would be justifiable. Whether or not—and how rapidly—to introduce specific changes to the root zone are therefore policy decisions that must balance the expected benefit of the change against the expected impact on root system stability.

• In order for “early warning” to be effective, changes to the root must be made gradually. Except in the very short term, we cannot confidently predict what the effect (and side-effects) of making a particular change to the root will be. In order for the strategy of “early warning” to succeed, the rate at which we introduce changes to the root must be gradual enough to allow the system to respond and adapt within the “early warning” horizon.

• The risks associated with adding DNSSEC, new TLDs, IDNs, and IPv6 addresses to the root simultaneously can be managed only with changes to the current arrangements of the root server operators. Signing the root would, by itself, immediately increase the size of the root zone by roughly a factor of 4 and increase the size of the priming response message. The consequences of these two effects could be absorbed by the root server operators without loss of service to the Internet, but would require them to substantially re-plan in order to recover lost headroom (deliberate defensive over-provisioning) in both server capacity and bandwidth. Adding new TLDs, IDNs, and IPv6 addresses would also increase the size of the root zone; adding IPv6 addresses would in addition increase the size of the priming response. With aggressive re-planning (some of which is already underway), the system is capable of managing the risks associated with adding either (a) DNSSEC or (b) new TLDs, IDNs, and IPv6 addresses over a period of 12-24 months—but not both. (Emphasis added)

• If a choice must be made, DNSSEC should come first. The effects of signing the root would be felt immediately—a sudden jump in the size of the root zone, and a sudden increase in the volume and type (TCP vs. UDP) of root server query traffic. The effects of the other changes would be spread out over some period of time (longer or shorter depending on the rate at which the system is able to adapt). Because the step-function impact of signing the root will be proportionally greater the larger the root becomes, deploying DNSSEC before the other changes have increased the size of the root would significantly lower the risk it presents to DNS stability. (Emphasis added)
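To make the study's points about the "priming response" and "TCP vs. UDP" traffic concrete, here is an added example (written for this post; it is not code from the study or from ICANN). It assembles the response to the priming query `. IN NS` in DNS wire format with RFC 1035 name compression, then counts its bytes with and without IPv6 (AAAA) glue and with and without a DNSSEC signature over the root NS RRset. The 13 root-server hostnames are real; the addresses, the TTL and the 128-byte signature length (what a 1024-bit RSA zone-signing key produces) are constructed placeholders, and 512 bytes is the classic UDP payload limit for a resolver that does not use EDNS0.

```python
"""Byte count of a root priming response under the root-scaling changes.

Added example, not from the study or the post. Names are real root-server
hostnames; addresses, TTL and signature length are constructed placeholders.
"""
import struct

ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
TTL = 518400                 # 6 days, a typical root NS TTL (placeholder)
CLASSIC_UDP_LIMIT = 512      # UDP payload ceiling without EDNS0 (RFC 1035)
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_RRSIG = 1, 2, 28, 46
QUESTION, ANSWER, AUTHORITY, ADDITIONAL = 0, 1, 2, 3


class DnsMessage:
    """Minimal DNS wire-format writer with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray(12)      # header; counts are patched in finish()
        self.offsets = {}             # name suffix -> offset of its first label
        self.counts = [0, 0, 0, 0]    # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

    def put_name(self, name, compress=True):
        """Write a domain name, replacing any already-seen suffix by a pointer."""
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if compress and suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return                      # a pointer ends the name
            if compress and len(self.buf) < 0x4000:
                self.offsets[suffix] = len(self.buf)
            self.buf.append(len(labels[0]))
            self.buf += labels[0].encode("ascii")
            labels = labels[1:]
        self.buf.append(0)                  # root label terminates the name

    def question(self, name, rtype):
        self.put_name(name)
        self.buf += struct.pack("!HH", rtype, 1)   # QTYPE, QCLASS=IN
        self.counts[QUESTION] += 1

    def rr(self, section, owner, rtype, write_rdata):
        """Append one resource record; RDLENGTH is patched after the RDATA."""
        self.put_name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, TTL)
        len_pos = len(self.buf)
        self.buf += b"\x00\x00"
        start = len(self.buf)
        write_rdata(self)
        struct.pack_into("!H", self.buf, len_pos, len(self.buf) - start)
        self.counts[section] += 1

    def finish(self):
        struct.pack_into("!HH4H", self.buf, 0, 0, 0x8400, *self.counts)  # QR|AA
        return bytes(self.buf)


def priming_response(ipv6_glue=False, dnssec=False, sig_len=128):
    """Build the root servers' answer to `. IN NS`.

    ipv6_glue: one AAAA glue record per root server (the IPv6 change).
    dnssec:    one RRSIG over the root NS RRset (the signed-root change).
    sig_len:   signature bytes; 128 models a 1024-bit RSA ZSK, 256 a 2048-bit one.
    """
    m = DnsMessage()
    m.question(".", TYPE_NS)
    for host in ROOT_SERVERS:                       # answer section: the NS RRset
        m.rr(ANSWER, ".", TYPE_NS, lambda m, h=host: m.put_name(h))
    if dnssec:
        def rrsig(m):
            # type covered, algorithm, labels, original TTL, expiration, inception, key tag
            m.buf += struct.pack("!HBBIIIH", TYPE_NS, 8, 0, TTL, 0, 0, 0)
            m.put_name(".", compress=False)         # signer name is never compressed
            m.buf += b"\x00" * sig_len              # placeholder signature bytes
        m.rr(ANSWER, ".", TYPE_RRSIG, rrsig)
    for i, host in enumerate(ROOT_SERVERS):         # additional section: glue
        m.rr(ADDITIONAL, host, TYPE_A,
             lambda m, i=i: m.buf.extend(bytes([192, 0, 2, i])))       # 192.0.2.0/24 (doc range)
        if ipv6_glue:
            m.rr(ADDITIONAL, host, TYPE_AAAA,
                 lambda m, i=i: m.buf.extend(b"\x20\x01\x0d\xb8" + bytes(11) + bytes([i])))  # 2001:db8::/32
    return m.finish()


def header_counts(msg):
    """Return (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the header."""
    return struct.unpack("!HH4H", msg[:12])[2:]


def transport(size, udp_limit=CLASSIC_UDP_LIMIT):
    """'udp' if the message fits the resolver's UDP limit, else 'tcp':
    the server sets the TC bit and the resolver retries over TCP."""
    return "udp" if size <= udp_limit else "tcp"


def report():
    """Size and transport for each combination of the two root changes."""
    out = {}
    for ipv6 in (False, True):
        for signed in (False, True):
            size = len(priming_response(ipv6_glue=ipv6, dnssec=signed))
            out[(ipv6, signed)] = (size, transport(size))
    return out


if __name__ == "__main__":
    for (ipv6, signed), (size, via) in report().items():
        print(f"ipv6_glue={ipv6!s:5} dnssec={signed!s:5} {size:4d} bytes -> {via}")
```

Run as a script, the unsigned IPv4-only response fits comfortably under 512 bytes; adding either the 13 AAAA glue records or a single RRSIG over the NS RRset pushes it past that limit, at which point a server would set the TC bit and a non-EDNS0 resolver would retry the same query over TCP. Real root servers also return an OPT record when EDNS0 is in use (which raises the limit to the resolver's advertised buffer size) and will drop glue from the additional section before truncating; the example ignores both so that the arithmetic behind the study's "TCP vs. UDP" concern stays visible.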

So here we have what appears to be a thoughtful and well-substantiated study focused on ICANN's primary technical responsibility: ensuring that the DNS does not suffer a catastrophic "crash". It advises that DNSSEC come first, and that the root system needs 12-24 months to absorb either the signed root or the other changes but not both; in other words, new TLDs, IDNs, and IPv6 addresses should follow DNSSEC by a year or two. But IPv6 is already on the way, and ICANN has just announced that ccTLD IDNs will ramp up starting next month. By the study's logic, bringing those changes plus new TLDs online ahead of DNSSEC puts the Internet enhancement cart before the security horse. In this context, if something has to be delayed to reduce overall DNS operational risk, it would, by process of elimination, be new TLDs.

New gTLDs already face fierce headwinds: ICANN's admission at last week's Congressional oversight hearing that the introduction schedule would likely slip; the lukewarm reception from the U.S. government; the demand for additional pre-introduction studies from a GAC newly empowered under the Affirmation of Commitments (AOC) announced on September 30th; and the policy dilemma created by trademark interests insisting that new gTLDs be accompanied by draconian trademark protections that other sectors of the ICANN community find anathema. This study now adds the weight of technical concerns against any imminent introduction.

Of course, it now appears unlikely that the application window for new gTLDs will open before the second half of 2010, which would mean that none would likely come online before the first part of 2011. If ICANN can implement DNSSEC in 2010 then a 1-2 year delay in adding new TLDs to the root would not greatly push back the date by which new gTLDs can commence operation without risking DNS destabilization. That assumes, of course, that ICANN’s new operational dynamic under the AOC does not catalyze additional resistance to the introduction of unlimited new gTLDs.